Hibernate CVE-2020-25638

Article ID: 206272

Products

CA Application Performance Management Agent (APM / Wily / Introscope)

Issue/Introduction

A vulnerability in the Hibernate ORM library used by APM 10.7 has been reported as CVE-2020-25638. It is a SQL injection flaw in Hibernate's JPA Criteria API: when SQL comment generation (hibernate.use_sql_comments) is enabled, a literal placed in the comment of a generated query is not sanitized, which can expose or alter data in the APM database.

Details are provided in the Red Hat CVE page:

https://access.redhat.com/security/cve/cve-2020-25638

Environment

Release : 10.7.0

Component : Introscope

Resolution

Add the following property to tess-db-cfg.xml in the Enterprise Manager's config folder. It disables Hibernate's SQL comment generation, which is the mitigation documented in the Red Hat article above. The advisory names the property hibernate.use_sql_comments; Hibernate's XML configuration loader prefixes a bare property name with "hibernate.", so the form below is equivalent.

     <property name="use_sql_comments">false</property>

This is an example of the configuration section with the new property added (the connection settings shown are illustrative; keep the existing values from your own file):

     <hibernate-configuration>
         <session-factory>
           <property name="em.dbtype">Postgres</property>
           <property name="hibernate.connection.username">admin</property>
           <property name="hibernate.connection.password">password</property>
           <property name="plainTextPasswords">true</property>
           <property name="hibernate.dialect">org.hibernate.dialect.PostgreSQLDialect</property>
           <property name="hibernate.connection.driver_class">org.postgresql.Driver</property>
           <property name="hibernate.connection.url">jdbc:postgresql://127.0.0.1:5432/cemdb</property>
           <property name="hibernate.connection.tcpKeepAlive">true</property>
           <property name="use_sql_comments">false</property>
         </session-factory>
     </hibernate-configuration>

Apply this change on every Enterprise Manager in the cluster, since each one communicates with the database. Restart each Enterprise Manager for the change to take effect; the property is only read when Hibernate's session factory is built at startup.
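As an added check, not part of this KB article or of the APM product: a small Python script that parses a tess-db-cfg.xml, reports whether use_sql_comments is explicitly false, and with --fix inserts or corrects the property while preserving the file's DOCTYPE, comments and indentation (it edits the raw text rather than re-serialising the parsed tree). It assumes the file is a standard Hibernate hibernate-configuration document as shown above and that Hibernate maps the bare name use_sql_comments to hibernate.use_sql_comments; the embedded sample configuration is constructed from the example above, minus the mitigating property, and the script file name used in the usage note is hypothetical.

```python
"""Check or apply the CVE-2020-25638 mitigation in an Enterprise Manager's
tess-db-cfg.xml.

Added example; not part of the KB article or the APM product.  Assumes the
file is a standard Hibernate <hibernate-configuration> document and that
Hibernate maps the bare name "use_sql_comments" to "hibernate.use_sql_comments".
"""
import re
import sys
import xml.etree.ElementTree as ET

PROPERTY_NAMES = ("use_sql_comments", "hibernate.use_sql_comments")
SAFE_PROPERTY = '<property name="use_sql_comments">false</property>'

# Constructed sample, modelled on the article's example but without the
# mitigating property, so the script has something to check when run bare.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE hibernate-configuration PUBLIC
    "-//Hibernate/Hibernate Configuration DTD 3.0//EN"
    "http://www.hibernate.org/dtd/hibernate-configuration-3.0.dtd">
<hibernate-configuration>
    <session-factory>
      <property name="em.dbtype">Postgres</property>
      <property name="hibernate.connection.username">admin</property>
      <property name="hibernate.connection.password">password</property>
      <property name="plainTextPasswords">true</property>
      <property name="hibernate.dialect">org.hibernate.dialect.PostgreSQLDialect</property>
      <property name="hibernate.connection.driver_class">org.postgresql.Driver</property>
      <property name="hibernate.connection.url">jdbc:postgresql://127.0.0.1:5432/cemdb</property>
      <property name="hibernate.connection.tcpKeepAlive">true</property>
    </session-factory>
</hibernate-configuration>
"""


def sql_comments_status(xml_text):
    """Return 'disabled', 'enabled', 'unrecognized' or 'unset'.

    'enabled' is the vulnerable setting.  'unset' means the file never mentions
    the property, so the explicit mitigation from the article is absent.  When
    the property appears more than once the last occurrence wins, as it does
    when Hibernate loads the properties.
    """
    root = ET.fromstring(xml_text)
    value = None
    for prop in root.iter("property"):
        if prop.get("name") in PROPERTY_NAMES:
            value = (prop.text or "").strip().lower()
    if value is None:
        return "unset"
    if value == "false":
        return "disabled"
    if value == "true":
        return "enabled"
    return "unrecognized"


_EXISTING = re.compile(
    r'(<property\s+name="(?:hibernate\.)?use_sql_comments"\s*>)[^<]*(</property>)'
)


def ensure_sql_comments_disabled(xml_text):
    """Return xml_text with use_sql_comments forced to false.

    An existing property (either name form) has its value replaced; otherwise
    the property is added as the last entry of <session-factory>, matching the
    surrounding indentation.
    """
    if _EXISTING.search(xml_text):
        return _EXISTING.sub(r"\1false\2", xml_text)
    marker = "</session-factory>"
    idx = xml_text.find(marker)
    if idx < 0:
        raise ValueError("no <session-factory> element found")
    line_start = xml_text.rfind("\n", 0, idx) + 1
    indent = xml_text[line_start:idx]
    if indent.strip():  # closing tag shares its line with other content
        return xml_text[:idx] + SAFE_PROPERTY + xml_text[idx:]
    new_line = indent + "  " + SAFE_PROPERTY + "\n"
    return xml_text[:line_start] + new_line + xml_text[line_start:]


def main(argv):
    """Report each file's status; with --fix, rewrite files that need it.
    Returns 1 if any file is not explicitly disabled, else 0."""
    fix = "--fix" in argv
    paths = [a for a in argv if a != "--fix"]
    if not paths:  # no files given: demonstrate on the constructed sample
        print("sample config:", sql_comments_status(SAMPLE_CONFIG))
        print("after fix:    ", sql_comments_status(ensure_sql_comments_disabled(SAMPLE_CONFIG)))
        return 0
    rc = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        status = sql_comments_status(text)
        print(f"{path}: use_sql_comments {status}")
        if status != "disabled":
            rc = 1
            if fix:
                with open(path, "w", encoding="utf-8") as fh:
                    fh.write(ensure_sql_comments_disabled(text))
                print(f"{path}: set to false; restart this Enterprise Manager")
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as python check_sql_comments.py <EM_HOME>/config/tess-db-cfg.xml on each Enterprise Manager in the cluster (the script name is an assumption); a non-zero exit means at least one file still lacks the explicit mitigation, and --fix writes the property in place. The Enterprise Manager must still be restarted after the file changes.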